Add --disable-log-server and --disable-log-client configure options.

These can be used to optionally disable building sudo_logsrvd and
support for remote I/O logging in the sudoers plugin respectively.
Todd C. Miller
2020-02-26 13:17:40 -07:00
parent 9cc46f115d
commit 5635c22f6b
11 changed files with 230 additions and 51 deletions

11
INSTALL

@@ -370,6 +370,17 @@ Optional features:
platform type. The "pvs-studio" Makefile target can then be platform type. The "pvs-studio" Makefile target can then be
used if PVS-Studio is installed. used if PVS-Studio is installed.
--enable-python
Enable support for sudo plugins written in Python 3.
This requires a Python 3 development environment (including
Python 3 header files).
--disable-log-server
Disable building the sudo_logsrvd log server.
--disable-log-client
Disable sudoers support for using the sudo_logsrvd log server.
Operating system-specific options: Operating system-specific options:
--disable-setreuid --disable-setreuid
Disable use of the setreuid() function for operating systems Disable use of the setreuid() function for operating systems


@@ -53,9 +53,10 @@ sudoers_gid = @SUDOERS_GID@
sudoers_mode = @SUDOERS_MODE@ sudoers_mode = @SUDOERS_MODE@
shlib_mode = @SHLIB_MODE@ shlib_mode = @SHLIB_MODE@
SUBDIRS = lib/util @ZLIB_SRC@ lib/iolog lib/logsrv logsrvd plugins/audit_json \ SUBDIRS = lib/util @ZLIB_SRC@ lib/iolog @LOGSRV@ @LOGSRVD@ \
plugins/group_file plugins/sample_approval plugins/sudoers \ plugins/audit_json plugins/group_file plugins/sample_approval \
plugins/system_group @PYTHON_PLUGIN_SRC@ src include doc examples plugins/sudoers plugins/system_group @PYTHON_PLUGIN_SRC@ src \
include doc examples
SAMPLES = plugins/sample SAMPLES = plugins/sample


@@ -1149,6 +1149,10 @@
/* Define to 1 if the code in interfaces.c does not compile for you. */ /* Define to 1 if the code in interfaces.c does not compile for you. */
#undef STUB_LOAD_INTERFACES #undef STUB_LOAD_INTERFACES
/* Define to 1 to compile support for sudo_logsrvd in the sudoers I/O log
plugin. */
#undef SUDOERS_IOLOG_CLIENT
/* An instance string to append to the username (separated by a slash) for /* An instance string to append to the username (separated by a slash) for
Kerberos V authentication. */ Kerberos V authentication. */
#undef SUDO_KRB5_INSTANCE #undef SUDO_KRB5_INSTANCE

57
configure vendored

@@ -736,6 +736,9 @@ rundir
logpath logpath
log_dir log_dir
iolog_dir iolog_dir
LOGSRVD
LIBLOGSRV
LOGSRV
PYTHON_PLUGIN_SRC PYTHON_PLUGIN_SRC
SIGNAME SIGNAME
devsearch devsearch
@@ -987,6 +990,8 @@ enable_offensive_insults
enable_package_build enable_package_build
enable_gss_krb5_ccache_name enable_gss_krb5_ccache_name
enable_pvs_studio enable_pvs_studio
enable_log_server
enable_log_client
enable_shared enable_shared
enable_static enable_static
with_pic with_pic
@@ -1682,6 +1687,9 @@ Optional Features:
--enable-gss-krb5-ccache-name --enable-gss-krb5-ccache-name
Use GSS-API to set the Kerberos V cred cache name Use GSS-API to set the Kerberos V cred cache name
--enable-pvs-studio Create a PVS-Studio.cfg file. --enable-pvs-studio Create a PVS-Studio.cfg file.
--disable-log-server Disable building the sudo_logsrvd log server.
--disable-log-client Disable sudoers support for using the sudo_logsrvd
log server.
--enable-shared[=PKGS] build shared libraries [default=yes] --enable-shared[=PKGS] build shared libraries [default=yes]
--enable-static[=PKGS] build static libraries [default=yes] --enable-static[=PKGS] build static libraries [default=yes]
--enable-fast-install[=PKGS] --enable-fast-install[=PKGS]
@@ -3108,6 +3116,9 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
@@ -3207,6 +3218,9 @@ shadow_funcs=
shadow_libs= shadow_libs=
TMPFILES_D= TMPFILES_D=
CONFIGURE_ARGS="$@" CONFIGURE_ARGS="$@"
LOGSRVD=logsrvd
LOGSRV=lib/logsrv
LIBLOGSRV='$(top_builddir)/lib/logsrv/liblogsrv.la'
RTLD_PRELOAD_VAR="LD_PRELOAD" RTLD_PRELOAD_VAR="LD_PRELOAD"
RTLD_PRELOAD_ENABLE_VAR= RTLD_PRELOAD_ENABLE_VAR=
@@ -6921,6 +6935,48 @@ if test "${enable_pvs_studio+set}" = set; then :
fi fi
# Check whether --enable-log-server was given.
if test "${enable_log_server+set}" = set; then :
enableval=$enable_log_server; case "$enableval" in
yes)
;;
no)
LOGSRVD=
;;
*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-log-server: $enableval" >&5
$as_echo "$as_me: WARNING: Ignoring unknown argument to --enable-log-server: $enableval" >&2;}
;;
esac
fi
# Check whether --enable-log-client was given.
if test "${enable_log_client+set}" = set; then :
enableval=$enable_log_client; case "$enableval" in
yes)
$as_echo "#define SUDOERS_IOLOG_CLIENT 1" >>confdefs.h
;;
no)
;;
*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-log-client: $enableval" >&5
$as_echo "$as_me: WARNING: Ignoring unknown argument to --enable-log-client: $enableval" >&2;}
;;
esac
else
$as_echo "#define SUDOERS_IOLOG_CLIENT 1" >>confdefs.h
fi
if test X"$enable_log_server" = X"no" -a X"$enable_log_client" = X"no"; then
# No need for liblogsrv.la
LOGSRV=
LIBLOGSRV=
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing strerror" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing strerror" >&5
$as_echo_n "checking for library containing strerror... " >&6; } $as_echo_n "checking for library containing strerror... " >&6; }
if ${ac_cv_search_strerror+:} false; then : if ${ac_cv_search_strerror+:} false; then :
@@ -30040,5 +30096,6 @@ fi


@@ -116,6 +116,9 @@ AC_SUBST([DIGEST])
AC_SUBST([devsearch]) AC_SUBST([devsearch])
AC_SUBST([SIGNAME]) AC_SUBST([SIGNAME])
AC_SUBST([PYTHON_PLUGIN_SRC]) AC_SUBST([PYTHON_PLUGIN_SRC])
AC_SUBST([LOGSRV])
AC_SUBST([LIBLOGSRV])
AC_SUBST([LOGSRVD])
dnl dnl
dnl Variables that get substituted in docs (not overridden by environment) dnl Variables that get substituted in docs (not overridden by environment)
@@ -264,6 +267,9 @@ shadow_funcs=
shadow_libs= shadow_libs=
TMPFILES_D= TMPFILES_D=
CONFIGURE_ARGS="$@" CONFIGURE_ARGS="$@"
LOGSRVD=logsrvd
LOGSRV=lib/logsrv
LIBLOGSRV='$(top_builddir)/lib/logsrv/liblogsrv.la'
dnl dnl
dnl LD_PRELOAD equivalents dnl LD_PRELOAD equivalents
@@ -1644,6 +1650,38 @@ AC_ARG_ENABLE(gss_krb5_ccache_name,
AC_ARG_ENABLE(pvs-studio, AC_ARG_ENABLE(pvs-studio,
[AS_HELP_STRING([--enable-pvs-studio], [Create a PVS-Studio.cfg file.])]) [AS_HELP_STRING([--enable-pvs-studio], [Create a PVS-Studio.cfg file.])])
AC_ARG_ENABLE(log-server,
[AS_HELP_STRING([--disable-log-server], [Disable building the sudo_logsrvd log server.])],
[ case "$enableval" in
yes)
;;
no)
LOGSRVD=
;;
*) AC_MSG_WARN([Ignoring unknown argument to --enable-log-server: $enableval])
;;
esac
])
AC_ARG_ENABLE(log-client,
[AS_HELP_STRING([--disable-log-client], [Disable sudoers support for using the sudo_logsrvd log server.])],
[ case "$enableval" in
yes)
AC_DEFINE([SUDOERS_IOLOG_CLIENT])
;;
no)
;;
*) AC_MSG_WARN([Ignoring unknown argument to --enable-log-client: $enableval])
;;
esac
], [AC_DEFINE([SUDOERS_IOLOG_CLIENT])])
if test X"$enable_log_server" = X"no" -a X"$enable_log_client" = X"no"; then
# No need for liblogsrv.la
LOGSRV=
LIBLOGSRV=
fi
dnl dnl
dnl C compiler checks dnl C compiler checks
dnl dnl
@@ -4755,6 +4793,7 @@ AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-
AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.]) AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.])
AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.]) AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.])
AH_TEMPLATE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION, [Define to 1 if you have the `SSL_CTX_set_min_proto_version' function or macro.]) AH_TEMPLATE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION, [Define to 1 if you have the `SSL_CTX_set_min_proto_version' function or macro.])
AH_TEMPLATE(SUDOERS_IOLOG_CLIENT, [Define to 1 to compile support for sudo_logsrvd in the sudoers I/O log plugin.])
dnl dnl
dnl Bits to copy verbatim into config.h.in dnl Bits to copy verbatim into config.h.in
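Review bot: In the `*)` arm of the `log-client` case the warning says the unknown argument is ignored, but `AC_DEFINE([SUDOERS_IOLOG_CLIENT])` appears only in the `yes)` arm and in the action-if-not-given, so a value such as `--enable-log-client=true` builds sudoers without remote I/O log support. For a feature that forwards session audit data, a mistyped option should not quietly turn it off. Add `AC_DEFINE([SUDOERS_IOLOG_CLIENT])` after the `AC_MSG_WARN` in that arm so the default is really kept, or use `AC_MSG_ERROR` there instead. The generated configure script carries the same case statement and would need regenerating.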


@@ -542,6 +542,8 @@ iolog_mkpath(char *path)
else else
ret = iolog_mkdirs(path); ret = iolog_mkdirs(path);
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, "iolog path %s", path);
debug_return_bool(ret); debug_return_bool(ret);
} }


@@ -58,7 +58,7 @@ INSTALL_BACKUP = @INSTALL_BACKUP@
# Libraries # Libraries
LIBUTIL = $(top_builddir)/lib/util/libsudo_util.la LIBUTIL = $(top_builddir)/lib/util/libsudo_util.la
LIBIOLOG = $(top_builddir)/lib/iolog/libsudo_iolog.la LIBIOLOG = $(top_builddir)/lib/iolog/libsudo_iolog.la
LIBLOGSRV = $(top_builddir)/lib/logsrv/liblogsrv.la LIBLOGSRV = @LIBLOGSRV@
LIBS = $(LIBUTIL) LIBS = $(LIBUTIL)
NET_LIBS = @NET_LIBS@ NET_LIBS = @NET_LIBS@
SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ @LIBTLS@ $(NET_LIBS) $(LIBIOLOG) $(LIBLOGSRV) SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ @LIBTLS@ $(NET_LIBS) $(LIBIOLOG) $(LIBLOGSRV)


@@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2009-2019 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2009-2020 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@@ -57,16 +57,28 @@ static struct iolog_file iolog_files[] = {
{ true, }, /* IOFD_TIMING */ { true, }, /* IOFD_TIMING */
}; };
static struct sudoers_io_operations {
int (*open)(struct timespec *now);
void (*close)(int exit_status, int error, const char **errstr);
int (*log)(int event, const char *buf, unsigned int len,
struct timespec *delay, const char **errstr);
int (*change_winsize)(unsigned int lines, unsigned int cols,
struct timespec *delay, const char **errstr);
int (*suspend)(const char *signame, struct timespec *delay,
const char **errstr);
} io_operations;
#ifdef SUDOERS_IOLOG_CLIENT
static struct client_closure client_closure = CLIENT_CLOSURE_INITIALIZER(client_closure); static struct client_closure client_closure = CLIENT_CLOSURE_INITIALIZER(client_closure);
#endif
static struct iolog_details iolog_details; static struct iolog_details iolog_details;
static bool warned = false; static bool warned = false;
static struct timespec last_time; static struct timespec last_time;
static void sudoers_io_setops(void);
/* sudoers_io is declared at the end of this file. */ /* sudoers_io is declared at the end of this file. */
extern __dso_public struct io_plugin sudoers_io; extern __dso_public struct io_plugin sudoers_io;
#define iolog_remote (client_closure.sock != -1)
/* /*
* Sudoers callback for maxseq Defaults setting. * Sudoers callback for maxseq Defaults setting.
*/ */
@@ -522,7 +534,7 @@ copy_vector_shallow(char * const *vec)
} }
static int static int
sudoers_io_open_local(void) sudoers_io_open_local(struct timespec *now)
{ {
char iolog_path[PATH_MAX], sessid[7]; char iolog_path[PATH_MAX], sessid[7];
size_t len; size_t len;
@@ -594,12 +606,12 @@ done:
debug_return_int(ret); debug_return_int(ret);
} }
#ifdef SUDOERS_IOLOG_CLIENT
static int static int
sudoers_io_open_remote(void) sudoers_io_open_remote(struct timespec *now)
{ {
int sock, ret = -1; int sock, ret = -1;
struct sudoers_string *connected_server = NULL; struct sudoers_string *connected_server = NULL;
debug_decl(sudoers_io_open_remote, SUDOERS_DEBUG_PLUGIN); debug_decl(sudoers_io_open_remote, SUDOERS_DEBUG_PLUGIN);
/* Connect to log server. */ /* Connect to log server. */
@@ -611,7 +623,7 @@ sudoers_io_open_remote(void)
goto done; goto done;
} }
if (!client_closure_fill(&client_closure, sock, connected_server, if (!client_closure_fill(&client_closure, sock, connected_server, now,
&iolog_details, &sudoers_io)) { &iolog_details, &sudoers_io)) {
close(sock); close(sock);
goto done; goto done;
@@ -622,8 +634,11 @@ sudoers_io_open_remote(void)
ret = 1; ret = 1;
done: done:
if (ret != 1)
client_closure_free(&client_closure);
debug_return_int(ret); debug_return_int(ret);
} }
#endif /* SUDOERS_IOLOG_CLIENT */
static int static int
sudoers_io_open(unsigned int version, sudo_conv_t conversation, sudoers_io_open(unsigned int version, sudo_conv_t conversation,
@@ -686,14 +701,17 @@ sudoers_io_open(unsigned int version, sudo_conv_t conversation,
} }
} }
if (sudo_gettime_awake(&last_time) == -1) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
"%s: unable to get time of day", __func__);
goto done;
}
/* /*
* Create local I/O log file or connect to remote log server. * Create local I/O log file or connect to remote log server.
*/ */
if (sudoers_io.event_alloc != NULL && iolog_details.log_servers != NULL) sudoers_io_setops();
ret = sudoers_io_open_remote(); if ((ret = io_operations.open(&last_time)) != true)
else
ret = sudoers_io_open_local();
if (ret != true)
goto done; goto done;
/* /*
@@ -710,17 +728,8 @@ sudoers_io_open(unsigned int version, sudo_conv_t conversation,
if (!iolog_files[IOFD_TTYOUT].enabled) if (!iolog_files[IOFD_TTYOUT].enabled)
sudoers_io.log_ttyout = NULL; sudoers_io.log_ttyout = NULL;
if (sudo_gettime_awake(&last_time) == -1) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
"%s: unable to get time of day", __func__);
goto done;
}
if (iolog_remote)
client_closure.start_time = last_time;
done: done:
if (ret != true) { if (ret != true) {
client_closure_free(&client_closure);
sudo_freepwcache(); sudo_freepwcache();
sudo_freegrcache(); sudo_freegrcache();
} }
@@ -732,22 +741,40 @@ done:
debug_return_int(ret); debug_return_int(ret);
} }
static void
sudoers_io_close_local(int exit_status, int error, const char **errstr)
{
int i;
debug_decl(sudoers_io_close_local, SUDOERS_DEBUG_PLUGIN);
for (i = 0; i < IOFD_MAX; i++) {
if (iolog_files[i].fd.v == NULL)
continue;
iolog_close(&iolog_files[i], errstr);
}
debug_return;
}
#ifdef SUDOERS_IOLOG_CLIENT
static void
sudoers_io_close_remote(int exit_status, int error, const char **errstr)
{
debug_decl(sudoers_io_close_remote, SUDOERS_DEBUG_PLUGIN);
client_close(&client_closure, exit_status, error);
debug_return;
}
#endif
static void static void
sudoers_io_close(int exit_status, int error) sudoers_io_close(int exit_status, int error)
{ {
const char *errstr = NULL; const char *errstr = NULL;
int i;
debug_decl(sudoers_io_close, SUDOERS_DEBUG_PLUGIN); debug_decl(sudoers_io_close, SUDOERS_DEBUG_PLUGIN);
if (iolog_remote) { io_operations.close(exit_status, error, &errstr);
client_close(&client_closure, exit_status, error);
} else {
for (i = 0; i < IOFD_MAX; i++) {
if (iolog_files[i].fd.v == NULL)
continue;
iolog_close(&iolog_files[i], &errstr);
}
}
sudo_freepwcache(); sudo_freepwcache();
sudo_freegrcache(); sudo_freegrcache();
@@ -824,6 +851,7 @@ done:
debug_return_int(ret); debug_return_int(ret);
} }
#ifdef SUDOERS_IOLOG_CLIENT
/* /*
* Schedule an I/O log entry to be written to the log server. * Schedule an I/O log entry to be written to the log server.
* Returns 1 on success and -1 on error. * Returns 1 on success and -1 on error.
@@ -872,6 +900,7 @@ sudoers_io_log_remote(int event, const char *buf, unsigned int len,
done: done:
debug_return_int(ret); debug_return_int(ret);
} }
#endif /* SUDOERS_IOLOG_CLIENT */
/* /*
* Generic I/O logging function. Called by the I/O logging entry points. * Generic I/O logging function. Called by the I/O logging entry points.
@@ -893,10 +922,7 @@ sudoers_io_log(const char *buf, unsigned int len, int event, const char **errstr
} }
sudo_timespecsub(&now, &last_time, &delay); sudo_timespecsub(&now, &last_time, &delay);
if (iolog_remote) ret = io_operations.log(event, buf, len, &delay, &ioerror);
ret = sudoers_io_log_remote(event, buf, len, &delay, &ioerror);
else
ret = sudoers_io_log_local(event, buf, len, &delay, &ioerror);
last_time.tv_sec = now.tv_sec; last_time.tv_sec = now.tv_sec;
last_time.tv_nsec = now.tv_nsec; last_time.tv_nsec = now.tv_nsec;
@@ -983,6 +1009,7 @@ done:
debug_return_int(ret); debug_return_int(ret);
} }
#ifdef SUDOERS_IOLOG_CLIENT
static int static int
sudoers_io_change_winsize_remote(unsigned int lines, unsigned int cols, sudoers_io_change_winsize_remote(unsigned int lines, unsigned int cols,
struct timespec *delay, const char **errstr) struct timespec *delay, const char **errstr)
@@ -1005,6 +1032,7 @@ sudoers_io_change_winsize_remote(unsigned int lines, unsigned int cols,
debug_return_int(ret); debug_return_int(ret);
} }
#endif /* SUDOERS_IOLOG_CLIENT */
static int static int
sudoers_io_change_winsize(unsigned int lines, unsigned int cols, const char **errstr) sudoers_io_change_winsize(unsigned int lines, unsigned int cols, const char **errstr)
@@ -1022,10 +1050,7 @@ sudoers_io_change_winsize(unsigned int lines, unsigned int cols, const char **er
} }
sudo_timespecsub(&now, &last_time, &delay); sudo_timespecsub(&now, &last_time, &delay);
if (iolog_remote) ret = io_operations.change_winsize(lines, cols, &delay, &ioerror);
ret = sudoers_io_change_winsize_remote(lines, cols, &delay, &ioerror);
else
ret = sudoers_io_change_winsize_local(lines, cols, &delay, &ioerror);
last_time.tv_sec = now.tv_sec; last_time.tv_sec = now.tv_sec;
last_time.tv_nsec = now.tv_nsec; last_time.tv_nsec = now.tv_nsec;
@@ -1082,6 +1107,7 @@ done:
debug_return_int(ret); debug_return_int(ret);
} }
#ifdef SUDOERS_IOLOG_CLIENT
static int static int
sudoers_io_suspend_remote(const char *signame, struct timespec *delay, sudoers_io_suspend_remote(const char *signame, struct timespec *delay,
const char **errstr) const char **errstr)
@@ -1104,6 +1130,7 @@ sudoers_io_suspend_remote(const char *signame, struct timespec *delay,
debug_return_int(ret); debug_return_int(ret);
} }
#endif /* SUDOERS_IOLOG_CLIENT */
static int static int
sudoers_io_suspend(int signo, const char **errstr) sudoers_io_suspend(int signo, const char **errstr)
@@ -1129,10 +1156,7 @@ sudoers_io_suspend(int signo, const char **errstr)
sudo_timespecsub(&now, &last_time, &delay); sudo_timespecsub(&now, &last_time, &delay);
/* Write suspend event to the timing file. */ /* Write suspend event to the timing file. */
if (iolog_remote) ret = io_operations.suspend(signame, &delay, &ioerror);
ret = sudoers_io_suspend_remote(signame, &delay, &ioerror);
else
ret = sudoers_io_suspend_local(signame, &delay, &ioerror);
last_time.tv_sec = now.tv_sec; last_time.tv_sec = now.tv_sec;
last_time.tv_nsec = now.tv_nsec; last_time.tv_nsec = now.tv_nsec;
@@ -1162,6 +1186,34 @@ bad:
debug_return_int(ret); debug_return_int(ret);
} }
/*
* Fill in the contents of io_operations, either local or remote.
*/
static void
sudoers_io_setops(void)
{
debug_decl(sudoers_io_setops, SUDOERS_DEBUG_PLUGIN);
#ifdef SUDOERS_IOLOG_CLIENT
if (sudoers_io.event_alloc != NULL && iolog_details.log_servers != NULL) {
io_operations.open = sudoers_io_open_remote;
io_operations.close = sudoers_io_close_remote;
io_operations.log = sudoers_io_log_remote;
io_operations.change_winsize = sudoers_io_change_winsize_remote;
io_operations.suspend = sudoers_io_suspend_remote;
} else
#endif /* SUDOERS_IOLOG_CLIENT */
{
io_operations.open = sudoers_io_open_local;
io_operations.close = sudoers_io_close_local;
io_operations.log = sudoers_io_log_local;
io_operations.change_winsize = sudoers_io_change_winsize_local;
io_operations.suspend = sudoers_io_suspend_local;
}
debug_return;
}
__dso_public struct io_plugin sudoers_io = { __dso_public struct io_plugin sudoers_io = {
SUDO_IO_PLUGIN, SUDO_IO_PLUGIN,
SUDO_API_VERSION, SUDO_API_VERSION,
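Review bot: `io_operations` has static storage, so all five pointers are NULL until `sudoers_io_setops()` runs, and `sudoers_io_open()` can `goto done` before that call (the relocated `sudo_gettime_awake()` failure path is one such exit). `sudoers_io_close()` now calls `io_operations.close(...)` unconditionally; if the front end can invoke the close hook after a failed open, which is not visible in this diff, that is a call through a NULL function pointer. A guard such as `if (io_operations.close != NULL) io_operations.close(exit_status, error, &errstr);` would make the close path safe regardless of how far open got. The struct would also read better with a short comment, e.g. `/* Local or remote I/O log back end, selected by sudoers_io_setops(). */`. The bodies of `sudoers_io_open()` and `sudoers_io_close()` extend beyond the hunks shown.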


@@ -16,6 +16,8 @@
#include "config.h" #include "config.h"
#ifdef SUDOERS_IOLOG_CLIENT
#include <sys/stat.h> #include <sys/stat.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/socket.h> #include <sys/socket.h>
@@ -1536,8 +1538,8 @@ bad:
*/ */
bool bool
client_closure_fill(struct client_closure *closure, int sock, client_closure_fill(struct client_closure *closure, int sock,
const struct sudoers_string *host, struct iolog_details *details, const struct sudoers_string *host, struct timespec *now,
struct io_plugin *sudoers_io) struct iolog_details *details, struct io_plugin *sudoers_io)
{ {
union { union {
struct sockaddr sa; struct sockaddr sa;
@@ -1552,6 +1554,9 @@ client_closure_fill(struct client_closure *closure, int sock,
closure->sock = -1; closure->sock = -1;
closure->state = RECV_HELLO; closure->state = RECV_HELLO;
closure->start_time.tv_sec = now->tv_sec;
closure->start_time.tv_nsec = now->tv_nsec;
closure->read_buf.size = 64 * 1024; closure->read_buf.size = 64 * 1024;
closure->read_buf.data = malloc(closure->read_buf.size); closure->read_buf.data = malloc(closure->read_buf.size);
if (closure->read_buf.data == NULL) if (closure->read_buf.data == NULL)
@@ -1674,3 +1679,5 @@ done:
client_closure_free(closure); client_closure_free(closure);
debug_return_bool(ret); debug_return_bool(ret);
} }
#endif /* SUDOERS_IOLOG_CLIENT */
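Review bot: `client_closure_fill()` only reads the new `now` argument (the two `closure->start_time` assignments), so the parameter should be declared `const struct timespec *now`, both here and in the prototype in the header. The function's header comment lies outside the hunk and is not shown being updated; it should say that `now` becomes the closure's start time. The body of `client_closure_fill()` continues outside the hunks shown.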


@@ -149,7 +149,7 @@ struct client_closure {
#endif /* HAVE_OPENSSL */ #endif /* HAVE_OPENSSL */
/* iolog_client.c */ /* iolog_client.c */
bool client_closure_fill(struct client_closure *closure, int sock, const struct sudoers_string *host, struct iolog_details *details, struct io_plugin *sudoers_io); bool client_closure_fill(struct client_closure *closure, int sock, const struct sudoers_string *host, struct timespec *now, struct iolog_details *details, struct io_plugin *sudoers_io);
bool client_close(struct client_closure *closure, int exit_status, int error); bool client_close(struct client_closure *closure, int exit_status, int error);
bool fmt_accept_message(struct client_closure *closure); bool fmt_accept_message(struct client_closure *closure);
bool fmt_client_message(struct client_closure *closure, ClientMessage *msg); bool fmt_client_message(struct client_closure *closure, ClientMessage *msg);


@@ -117,6 +117,12 @@ static struct rlimit nproclimit;
int NewArgc; int NewArgc;
char **NewArgv; char **NewArgv;
#ifdef SUDOERS_IOLOG_CLIENT
# define remote_iologs (!SLIST_EMPTY(&def_log_servers))
#else
# define remote_iologs 0
#endif
/* /*
* Unlimit the number of processes since Linux's setuid() will * Unlimit the number of processes since Linux's setuid() will
* apply resource limits when changing uid and return EAGAIN if * apply resource limits when changing uid and return EAGAIN if
@@ -541,7 +547,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
} }
} }
if (ISSET(sudo_mode, (MODE_RUN | MODE_EDIT)) && SLIST_EMPTY(&def_log_servers)) { if (ISSET(sudo_mode, (MODE_RUN | MODE_EDIT)) && !remote_iologs) {
if ((def_log_input || def_log_output) && def_iolog_file && def_iolog_dir) { if ((def_log_input || def_log_output) && def_iolog_file && def_iolog_dir) {
if ((iolog_path = format_iolog_path()) == NULL) { if ((iolog_path = format_iolog_path()) == NULL) {
if (!def_ignore_iolog_errors) if (!def_ignore_iolog_errors)
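Review bot: With `remote_iologs` defined as `0` when `SUDOERS_IOLOG_CLIENT` is unset, the changed condition in `sudoers_policy_main()` always takes the local I/O log path, even if `def_log_servers` is non-empty. From the lines shown, a policy that names log servers would then run on a client-less build with no indication that session logs are not being forwarded. Consider emitting a warning when `!SLIST_EMPTY(&def_log_servers)` in a build without the client, so a missing central audit trail is noticed rather than discovered later. The macro also deserves a comment, e.g. `/* True if I/O logs are sent to a log server; always false when built without the log client. */`. The rest of `sudoers_policy_main()` is outside the hunk.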